[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: re. name cert meaning

To: Curtis Yarvin <Curtis_Yarvin@geoworks.com>
Subject: Re: re. name cert meaning
From: Carl Ellison <cme@cybercash.com>
Date: Thu, 12 Mar 1998 10:51:12 -0500
Cc: spki@c2.net
In-Reply-To: <199802131820.KAA08089@ammonia.geoworks.com>
References: <3.0.3.32.19980212180717.00a24370@cybercash.com>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

At 10:20 AM 2/13/98 -0800, Curtis Yarvin wrote:
>> 
>> At 01:46 PM 1/25/98 -0700, Bryan Ford wrote:
>> >Basically, as Curtis said, a name cert is really just a statement
>> >that "principal Y is hereby authorized to use name X in my namespace."
>> 
>> to nit pick:
>> 
>> I believe the SDSI name is better defined as "X is a label by which I (the 
>> issuer) refer to principal Y (or some set of principals $Y_i$)".
>
>These may be two different things.
>
>When I said that, I was talking about X.509 naming, not SDSI
>naming.  Obviously, Carl's definition of SDSI naming is
>correct, but X.509 has a different property: it refers to
>names that have fixed meaning in the physical world.
>
>An SDSI name seems to me more like a pointer, a way of
>describing a keyholder or keyholder set that is more
>convenient than directly including a public key.  Having a
>certain SDSI name is not a privilege in and of itself.
>Being able to claim that you are the person referred to by
>an X.509 name is.

I look at X.509 names as just another formatting for SDSI names.  That is, 
one can form

(name <509-root-key> <CA-name-1> <CA-name-2> ... <leaf-name>)

and some have proposed that X.509 names need to be in that form, in order to 
be completely unambiguous.  That's a SDSI name.

The place where I believe we depart strongly from the X.509 community is 
that we have looked at the idea of a name with a fixed meaning in the 
physical world and found it wanting.  In particular, it just doesn't work -- 
and runs the danger of introducing security flaws.

Of course, anyone can build a globally unique name and we sometimes need 
them.  We have them in SPKI/SDSI -- the public key or its hash.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNQgEbxN3Wx8QwqUtAQGAGwP/WJEQxLoPclGHBXtmWG80kTgmNR9KiSIK
9g8KqHr12wl3FoWwopUx3hMPzFHsd0ABe7L4LSbotXeKJTc8KAploCjmWTJnJQ+L
XfMN2zwCMoIbLDr+5ZZHgDd0rAILJxWKkR7CVuVh3bW3jzFUR+FfD5ufk0xKvqlG
gWtlTrORhXg=
=4H3o
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+

References:

re. name cert meaning

From: Carl Ellison <cme@cybercash.com>

Re: re. name cert meaning

From: Curtis Yarvin <Curtis_Yarvin@geoworks.com>

Prev by Date: Re: The role of trust in certification
Next by Date: Re: The role of trust in certification
Prev by thread: Re: re. name cert meaning
Next by thread: Re: k-of-n subjects versus k-of-n tags?
Index(es):
- Main
- Thread